fbpx
Wikipedia

IEEE 802.11i-2004

April 12, 2024

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

Replacement of WEP edit

802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.[1]

Protocol operation edit

IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys.[2][3] The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake.[4]

The standard also provides two RSNA data confidentiality and integrity protocols, TKIP and CCMP, with implementation of CCMP being mandatory since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP.[5] The main purpose to implement TKIP was that the algorithm should be implementable within the capabilities of most of the old devices supporting only WEP.

The initial authentication process is carried out either using a pre-shared key (PSK), or following an EAP exchange through 802.1X (known as EAPOL, which requires the presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). In PSK authentication, the PMK is actually the PSK,[6] which is typically derived from the WiFi password by putting it through a key derivation function that uses SHA-1 as the cryptographic hash function.[7] If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.

Four-way handshake edit

 

The four-way handshake[8] is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.

The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.

The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):

  1. The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC), and the Key Replay Counter which will be the same as Message 1, to allow AP to match the right Message 1.
  3. The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
  4. The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.

Group key handshake edit

The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

  1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a MIC.
  2. The STA acknowledges the new GTK and replies to the AP.

CCMP overview edit

CCMP is based on the Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header.

Key hierarchy edit

RSNA defines two key hierarchies:

  1. Pairwise key hierarchy, to protect unicast traffic
  2. GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic

The description of the key hierarchies uses the following two functions:

  • L(Str, F, L) - From Str starting from the left, extract bits F through F+L–1.
  • PRF-n - Pseudo-random function producing n bits of output, there are the 128, 192, 256, 384 and 512 versions, each of these output these number of bits.

The pairwise key hierarchy utilizes PRF-384 or PRF-512 to derive session-specific keys from a PMK, generating a PTK, which gets partitioned into a KCK and a KEK plus all the temporal keys used by the MAC to protect unicast communication.

The GTK shall be a random number which also gets generated by using PRF-n, usually PRF-128 or PRF-256, in this model, the group key hierarchy takes a GMK (Group Master Key) and generates a GTK.

MAC frame formats edit

Frame Control field edit

Frame Control field[9]
Subfield Protocol Version Type Subtype To DS From DS More Fragments Retry Power Management More Data Protected Frame Orders
Bits 2 bits 2 bits 4 bits 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit

Protected Frame field edit

"The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field is set to 1 only within data frames of type Data and within management frames of type Management, subtype Authentication. The Protected Frame field is set to 0 in all other frames. When the bit Protected Frame field is set to 1 in a data frame, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8. Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication."[8]

See also edit

References edit

  1. ^ "IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements" (PDF). IEEE Standards. 2004-07-23. Retrieved 2007-12-21. (Broken Link)
  2. ^ IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements (PDF), IEEE Standards, 2004-07-23, p. 14, retrieved 2010-04-09
  3. ^ IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements (PDF), IEEE Standards, 2004-07-23, p. 14, retrieved 2010-04-09, RSNA relies on IEEE 802.1X to provide authentication services and uses the IEEE 802.11 key management scheme
  4. ^ IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements (PDF), IEEE Standards, 2004-07-23, p. 5, retrieved 2010-04-09
  5. ^ IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements (PDF), IEEE Standards, 2004-07-23, p. 43, retrieved 2010-04-09 (Broken Link)
  6. ^ "IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements" (PDF). p. 33.
  7. ^ "IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements" (PDF). p. 165.
  8. ^ a b "IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements" (PDF).
  9. ^ . Archived from the original on 2018-04-27. Retrieved 2018-04-27.
General
  • "IEEE 802.11-2007: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications". IEEE. 2007-03-08.
  • "The Evolution of 802.11 Wireless Security" (PDF). ITFFROC. 2010-04-18.

External links edit

April 12, 2024
ieee, 2004, short, amendment, original, ieee, implemented, protected, access, wpa2, draft, standard, ratified, june, 2004, this, standard, specifies, security, mechanisms, wireless, networks, replacing, short, authentication, privacy, clause, original, standar. IEEE 802 11i 2004 or 802 11i for short is an amendment to the original IEEE 802 11 implemented as Wi Fi Protected Access II WPA2 The draft standard was ratified on 24 June 2004 This standard specifies security mechanisms for wireless networks replacing the short Authentication and privacy clause of the original standard with a detailed Security clause In the process the amendment deprecated broken Wired Equivalent Privacy WEP while it was later incorporated into the published IEEE 802 11 2007 standard Contents 1 Replacement of WEP 2 Protocol operation 2 1 Four way handshake 2 2 Group key handshake 3 CCMP overview 4 Key hierarchy 5 MAC frame formats 5 1 Frame Control field 5 2 Protected Frame field 6 See also 7 References 8 External linksReplacement of WEP edit802 11i supersedes the previous security specification Wired Equivalent Privacy WEP which was shown to have security vulnerabilities Wi Fi Protected Access WPA had previously been introduced by the Wi Fi Alliance as an intermediate solution to WEP insecurities WPA implemented a subset of a draft of 802 11i The Wi Fi Alliance refers to their approved interoperable implementation of the full 802 11i as WPA2 also called RSN Robust Security Network 802 11i makes use of the Advanced Encryption Standard AES block cipher whereas WEP and WPA use the RC4 stream cipher 1 Protocol operation editIEEE 802 11i enhances IEEE 802 11 1999 by providing a Robust Security Network RSN with two new protocols the four way handshake and the group key handshake These utilize the authentication services and port access control described in IEEE 802 1X to establish and change the appropriate cryptographic keys 2 3 The RSN is a security network that only allows the creation of robust security network associations RSNAs which are a type of association used by a pair of stations STAs if the procedure to establish authentication or association between them includes the 4 Way Handshake 4 The standard also provides two RSNA data confidentiality and integrity protocols TKIP and CCMP with implementation of CCMP being mandatory since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP 5 The main purpose to implement TKIP was that the algorithm should be implementable within the capabilities of most of the old devices supporting only WEP The initial authentication process is carried out either using a pre shared key PSK or following an EAP exchange through 802 1X known as EAPOL which requires the presence of an authentication server This process ensures that the client station STA is authenticated with the access point AP After the PSK or 802 1X authentication a shared secret key is generated called the Pairwise Master Key PMK In PSK authentication the PMK is actually the PSK 6 which is typically derived from the WiFi password by putting it through a key derivation function that uses SHA 1 as the cryptographic hash function 7 If an 802 1X EAP exchange was carried out the PMK is derived from the EAP parameters provided by the authentication server Four way handshake edit nbsp The four way handshake 8 is designed so that the access point or authenticator and wireless client or supplicant can independently prove to each other that they know the PSK PMK without ever disclosing the key Instead of disclosing the key the access point AP and client encrypt messages to each other that can only be decrypted by using the PMK that they already share and if decryption of the messages was successful this proves knowledge of the PMK The four way handshake is critical for protection of the PMK from malicious access points for example an attacker s SSID impersonating a real access point so that the client never has to tell the access point its PMK The PMK is designed to last the entire session and should be exposed as little as possible therefore keys to encrypt the traffic need to be derived A four way handshake is used to establish another key called the Pairwise Transient Key PTK The PTK is generated by concatenating the following attributes PMK AP nonce ANonce STA nonce SNonce AP MAC address and STA MAC address The product is then put through a pseudo random function The handshake also yields the GTK Group Temporal Key used to decrypt multicast and broadcast traffic The actual messages exchanged during the handshake are depicted in the figure and explained below all messages are sent as EAPOL Key frames The AP sends a nonce value ANonce to the STA together with a Key Replay Counter which is a number that is used to match each pair of messages sent and discard replayed messages The STA now has all the attributes to construct the PTK The STA sends its own nonce value SNonce to the AP together with a Message Integrity Code MIC including authentication which is really a Message Authentication and Integrity Code MAIC and the Key Replay Counter which will be the same as Message 1 to allow AP to match the right Message 1 The AP verifies Message 2 by checking MIC RSN ANonce and Key Replay Counter Field and if valid constructs and sends the GTK with another MIC The STA verifies Message 3 by checking MIC and Key Replay Counter Field and if valid sends a confirmation to the AP Group key handshake edit The Group Temporal Key GTK used in the network may need to be updated due to the expiration of a preset timer When a device leaves the network the GTK also needs to be updated This is to prevent the device from receiving any more multicast or broadcast messages from the AP To handle the updating 802 11i defines a Group Key Handshake that consists of a two way handshake The AP sends the new GTK to each STA in the network The GTK is encrypted using the KEK assigned to that STA and protects the data from tampering by use of a MIC The STA acknowledges the new GTK and replies to the AP CCMP overview editCCMP is based on the Counter with CBC MAC CCM mode of the AES encryption algorithm CCM combines CTR for confidentiality and CBC MAC for authentication and integrity CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802 11 MPDU header Key hierarchy editRSNA defines two key hierarchies Pairwise key hierarchy to protect unicast traffic GTK a hierarchy consisting of a single key to protect multicast and broadcast trafficThe description of the key hierarchies uses the following two functions L Str F L From Str starting from the left extract bits F through F L 1 PRF n Pseudo random function producing n bits of output there are the 128 192 256 384 and 512 versions each of these output these number of bits The pairwise key hierarchy utilizes PRF 384 or PRF 512 to derive session specific keys from a PMK generating a PTK which gets partitioned into a KCK and a KEK plus all the temporal keys used by the MAC to protect unicast communication The GTK shall be a random number which also gets generated by using PRF n usually PRF 128 or PRF 256 in this model the group key hierarchy takes a GMK Group Master Key and generates a GTK MAC frame formats editFrame Control field edit Frame Control field 9 Subfield Protocol Version Type Subtype To DS From DS More Fragments Retry Power Management More Data Protected Frame OrdersBits 2 bits 2 bits 4 bits 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bitProtected Frame field edit The Protected Frame field is 1 bit in length The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm The Protected Frame field is set to 1 only within data frames of type Data and within management frames of type Management subtype Authentication The Protected Frame field is set to 0 in all other frames When the bit Protected Frame field is set to 1 in a data frame the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8 Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication 8 See also editWLAN Authentication and Privacy Infrastructure WAPI China s centralized wireless security method IEEE 802 1AE MACsecReferences edit IEEE 802 11i 2004 Amendment 6 Medium Access Control MAC Security Enhancements PDF IEEE Standards 2004 07 23 Retrieved 2007 12 21 Broken Link IEEE 802 11i 2004 Amendment 6 Medium Access Control MAC Security Enhancements PDF IEEE Standards 2004 07 23 p 14 retrieved 2010 04 09 IEEE 802 11i 2004 Amendment 6 Medium Access Control MAC Security Enhancements PDF IEEE Standards 2004 07 23 p 14 retrieved 2010 04 09 RSNA relies on IEEE 802 1X to provide authentication services and uses the IEEE 802 11 key management scheme IEEE 802 11i 2004 Amendment 6 Medium Access Control MAC Security Enhancements PDF IEEE Standards 2004 07 23 p 5 retrieved 2010 04 09 IEEE 802 11i 2004 Amendment 6 Medium Access Control MAC Security Enhancements PDF IEEE Standards 2004 07 23 p 43 retrieved 2010 04 09 Broken Link IEEE 802 11i 2004 Standard Amendment 6 Medium Access Control MAC Security Enhancements PDF p 33 IEEE 802 11i 2004 Standard Amendment 6 Medium Access Control MAC Security Enhancements PDF p 165 a b IEEE 802 11i 2004 Standard Amendment 6 Medium Access Control MAC Security Enhancements PDF Section of MAC frame formats Archived from the original on 2018 04 27 Retrieved 2018 04 27 General IEEE 802 11 2007 Wireless LAN Medium Access Control MAC and Physical Layer PHY specifications IEEE 2007 03 08 The Evolution of 802 11 Wireless Security PDF ITFFROC 2010 04 18 External links editVulnerability in the WPA2 protocol hole196 1 Archived 2015 11 13 at the Wayback Machine 2 Retrieved from https en wikipedia org w index php title IEEE 802 11i 2004 amp oldid 1182455309, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.